Deploy Secure Tunnel
This topic describes how to set up and configure Secure Tunnel in order to securely connect to your SIEM servers and your remote access PSM servers.
For details, see Connect to SIEM and Configure the PSMs through the Secure Tunnel wizard.
Disable the antivirus agent if it is installed on your server.
Consider the following:
Connector client machine name must be unique
The name of the Connector client machine must be unique across domains. Only the machine host name is used to generate the tunnel ID and therefore it must be unique, even if the machines are deployed in multiple domains.
Secure Tunnel port
Check that this port is free for use. If not, see Secure Tunnel troubleshooting for steps on how to configure a different port.
Remote access for employees
If you are configuring remote access for your employees, you must also configure the designated PSMs. For details, see Configure remote access for employees.
Configure Secure Tunnel to connect through a proxy server
This option is supported in Secure Tunnel v3.1 and up.
Connecting to Privilege Cloud through proxy is supported by Secure Tunnel only when SIEM/Remote Access are in a network where the internet connection is behind a proxy.
Connecting through a proxy applies to Secure Tunnel only, and does not affect CPM or PSM components.
Install and configure the Secure Tunnel on the Connector machine.
To install and configure the Secure Tunnel:
The Secure Tunnel includes an installation tool and a configuration tool. When you install the Secure Tunnel for the first time, the configuration tool is launched automatically after the installation is complete. To make changes to a previously installed Secure Tunnel, run the configuration tool.
- From the Privilege Cloud software package that you downloaded in Deploy the Privilege Cloud Connector, copy the Secure Tunnel zip file and unzip the package.
- On the Select Installation Folder page, enter the location of the installation folder, and click Next.
- On the Ready to Install page, click Install.
- When the installation is complete, click Finish. The configuration tool is launched.
  If you do not want to configure the Secure Tunnel at this time, you can close the wizard and launch the configuration tool later. When you close the installation wizard, a shortcut to the configuration tool is created on the desktop. You can open the configuration tool either from the desktop shortcut or from the installation folder at any time.
- On the Authenticate to Privilege Cloud page, enter the following details and click Next.
Subdomain or Customer ID
The subdomain is your system identifier in the system address, as displayed in the Privilege Cloud Portal FQDN. Enter only the <subdomain> identifier, not the whole URL.
Alternatively, use the Customer ID provided to you in the Welcome to CyberArk Identity Security Platform Shared Services email.
User name & Password
Enter the installeruser name (installeruser@<suffix>) and password that you set before you started the installation process (see Before you begin).
- Optionally, configure Secure Tunnel to connect through a proxy server. If you do not want Secure Tunnel to work through a proxy, skip this step.
  Configure Secure Tunnel to connect through a proxy server
  - As Administrator, go to C:\Program Files\CyberArk\PrivilegeCloudSecureTunnel\config and open application.properties in Notepad.
  - Edit the following properties:
    proxyservice.explicitProxyAddress - remove the comment (#) and add the IP/FQDN of the proxy server
    proxyservice.explicitProxyPort - remove the comment (#) and add the port number that supports communications with the proxy server
    proxyservice.explicitProxyDnsResolving - to resolve DNS through the proxy, remove the comment (#) and set the value to true
  - Save the application.properties file.
  - Return to the Secure Tunnel installer wizard and complete the wizard installation.
  - Restart the CyberArkPrivilegeCloudSecureTunnel service, as described in the last step of this procedure.
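One way to script the proxy step above, as an added example that is not CyberArk's own tooling: the script backs up application.properties, uncomments or sets the proxy properties, and restarts the Secure Tunnel service. It assumes the default installation folder and that the property keys in the file are named proxyservice.explicitProxyAddress, proxyservice.explicitProxyPort (assumed name for the port key) and proxyservice.explicitProxyDnsResolving.

```powershell
# Added example, not CyberArk tooling. Run as Administrator on the Connector machine.
# Assumptions: default install folder; the proxy property keys below exist in the file,
# either commented out with '#' or already active (explicitProxyPort is an assumed name).
param(
    [Parameter(Mandatory)][string]$ProxyHost,   # IP or FQDN of the proxy server
    [Parameter(Mandatory)][int]$ProxyPort,      # port the proxy accepts connections on
    [switch]$ResolveDnsViaProxy,                # also set explicitProxyDnsResolving=true
    [string]$ConfigPath = 'C:\Program Files\CyberArk\PrivilegeCloudSecureTunnel\config\application.properties'
)

$desired = [ordered]@{
    'proxyservice.explicitProxyAddress' = $ProxyHost
    'proxyservice.explicitProxyPort'    = $ProxyPort
}
if ($ResolveDnsViaProxy) { $desired['proxyservice.explicitProxyDnsResolving'] = 'true' }

# Keep a timestamped copy so the change can be rolled back.
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"

$seen  = @{}
$lines = @(Get-Content -Path $ConfigPath | ForEach-Object {
    $line = $_
    foreach ($key in $desired.Keys) {
        # Match the key whether it is commented out (#key=...) or already active.
        if ($line -match ('^\s*#?\s*' + [regex]::Escape($key) + '\s*=')) {
            $line = "$key=$($desired[$key])"
            $seen[$key] = $true
            break
        }
    }
    $line
})
# Append any key the file did not contain at all.
foreach ($key in $desired.Keys) {
    if (-not $seen.ContainsKey($key)) { $lines += "$key=$($desired[$key])" }
}
Set-Content -Path $ConfigPath -Value $lines

# Apply the change: same effect as restarting the service from Task Manager > Services.
Restart-Service -Name 'CyberArkPrivilegeCloudSecureTunnel' -Force
Get-Service -Name 'CyberArkPrivilegeCloudSecureTunnel' | Select-Object Name, Status
```

Run it only after the installer wizard has completed, since the wizard writes the configuration folder; the final Get-Service line lets you confirm the service came back up as Running.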
- On the Configure on-premise components page, add the components that you want to connect through the Secure Tunnel, and click Configure Components.
Enter the following information:
Select one of the following components:
- SIEM: Up to five Syslog servers can be connected to Privilege Cloud at one time.
- PSM-RDP: There is no limit to how many servers can be connected to Privilege Cloud at one time.
The hostname or IP address of the component server. PSM for remote access uses TLS communication and must include a hostname.
The following domains cannot be used as host names for Secure Tunnel configuration:
The port used for connecting the Secure Tunnel server to the component server.
Click Advanced to display this column.
Typically, the ports used for these components are:
- SIEM - 1468
If you are using different ports, edit this field for the relevant component.
The port used by CyberArk to interface with your Secure Tunnel.
Click Advanced to display this column. The Remote Port is provided to you by CyberArk support.
Each interface has a default port. For multiple instances the ports are numbered sequentially.
Typically, the ports used for these components are:
- SIEM - 1468 (first SIEM instance), 1469, etc.
Access through Secure Tunnels
You can configure which Secure Tunnels your servers will access through, even if these Secure Tunnels are running on a different machine.
- Optionally, only if you configured the Secure Tunnel to connect through a proxy server, restart Secure Tunnel:
  In Windows Task Manager > Services, restart CyberArkPrivilegeCloudSecureTunnel.
Post installation steps
After installing Secure Tunnel:
Enable antivirus on the Secure Tunnel server.
If antivirus is not installed on the server, install it now.
Optionally, control access by defining secure zones.
If using secure zones for controlled access, define the Secure Tunnel's internet-facing IP address as a secure zone, to ensure it can communicate with the CyberArk backend.
If access is through a proxy, define the proxy address as a secure zone.
Learn about access control by applying secure zones.
You can now connect any of the following through the Secure Tunnel:
Supported connections - scope
The following table includes the number of component connections, per component type, that the Secure Tunnel supports.